def test_validate_rules_canon(self):
rules = {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10/8",
"dst_net": "11.0/16", "src_ports": [10, "11:12"],
"action": "allow"},
{"protocol": "tcp", "src_net": None},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001:0::1/128", "dst_net": "2001:0::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
}
common.validate_profile("profile_id", rules)
# Check IPs get made canonical.
self.assertEqual(rules, {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8",
"dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"],
"action": "allow"},
{"protocol": "tcp"},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001::1/128", "dst_net": "2001::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
})
def test_validate_rules_canon(self):
rules = {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10/8",
"dst_net": "11.0/16", "src_ports": [10, "11:12"],
"action": "allow",
"log_prefix": "foo!@#$012345678901234567890123456789"},
{"action": "log"},
{"protocol": "tcp", "src_net": None},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001:0::1/128", "dst_net": "2001:0::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
}
common.validate_profile("profile_id", rules)
# Check IPs get made canonical.
self.assertEqual(rules, {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8",
"dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"],
"action": "allow",
"log_prefix": "foo____01234567890123456789"},
{"action": "log"},
{"protocol": "tcp"},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001::1/128", "dst_net": "2001::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
})
def parse_profile(profile_id, raw_json, require_selector=False,
require_order=False):
rules = safe_decode_json(raw_json, log_tag="rules %s" % profile_id)
try:
common.validate_profile(profile_id, rules)
except ValidationFailed as e:
_log.exception("Validation failed for profile %s rules: %s",
profile_id, rules)
return None
else:
return rules
def parse_profile(profile_id, raw_json, require_selector=False,
require_order=False):
rules = safe_decode_json(raw_json, log_tag="rules %s" % profile_id)
try:
common.validate_profile(profile_id, rules)
except ValidationFailed as e:
_log.exception("Validation failed for profile %s rules: %s",
profile_id, rules)
return None
else:
return rules
def test_validate_rules(self):
profile_id = "valid_name-ok."
rules = {'inbound_rules': [], 'outbound_rules': []}
common.validate_profile(profile_id, rules.copy())
with self.assertRaisesRegexp(
ValidationFailed, "Expected profile 'valid_name-ok.' to "
"be a dict"):
common.validate_profile(profile_id, [])
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_profile("a&b", rules.copy())
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_policy(TieredPolicyId("+123", "abc"), rules.copy())
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_policy(TieredPolicyId("abc", "+"), rules.copy())
# No rules.
with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"):
common.validate_profile(profile_id, {'inbound_rules': []})
with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"):
common.validate_profile(profile_id, {'outbound_rules': []})
rules = {'inbound_rules': 3, 'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed,
"Expected rules\[inbound_rules\] to be a list"):
common.validate_profile(profile_id, rules.copy())
rule = "not a dict"
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule should be a dict"):
common.validate_profile(profile_id, rules.copy())
rule = {'bad_key': ""}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule contains unknown keys"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "bloop"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed, "Invalid protocol bloop in rule "
"{'protocol': 'bloop'}"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 5}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid ip_version in rule"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 4, 'protocol': "icmpv6"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmpv6 with IPv4"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 6, 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc", 'protocol': "123"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'protocol': "256"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 256 in rule"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "0"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 0 in rule"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "a!b", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"):
common.validate_profile(profile_id, rules)
rule = {'dst_tag': "x,y", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"):
common.validate_profile(profile_id, rules)
rule = {'src_selector': "a!b"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid src_selector"):
common.validate_profile(profile_id, rules)
rule = {'dst_selector': "+b"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_selector"):
common.validate_profile(profile_id, rules)
rule = {'src_net': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'src_ports': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected ports to be a list"):
common.validate_profile(profile_id, rules)
rule = {'dst_ports': [32, "nonsense"]}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid port"):
common.validate_profile(profile_id, rules)
rule = {'action': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid action"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': -1}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 256}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 22, 'icmp_code': "2"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0, 'icmp_code': -1}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0, 'icmp_code': 256}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_code': 2}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code specified without ICMP type"):
common.validate_profile(profile_id, rules)
def test_validate_rules(self):
profile_id = "valid_name-ok."
rules = {'inbound_rules': [],
'outbound_rules': []}
common.validate_profile(profile_id, rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Expected profile 'valid_name-ok.' to "
"be a dict"):
common.validate_profile(profile_id, [])
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_profile("a&b", rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_policy(TieredPolicyId("+123", "abc"),
rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_policy(TieredPolicyId("abc", "+"),
rules.copy())
# No rules.
with self.assertRaisesRegexp(ValidationFailed,
"No outbound_rules"):
common.validate_profile(profile_id, {'inbound_rules': []})
with self.assertRaisesRegexp(ValidationFailed,
"No inbound_rules"):
common.validate_profile(profile_id, {'outbound_rules': []})
rules = {'inbound_rules': 3,
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected rules\[inbound_rules\] to be a list"):
common.validate_profile(profile_id, rules.copy())
rule = "not a dict"
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule should be a dict"):
common.validate_profile(profile_id, rules.copy())
rule = {'bad_key': ""}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule contains unknown keys"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "bloop"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol bloop in rule "
"{'protocol': 'bloop'}"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 5}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid ip_version in rule"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 4,
'protocol': "icmpv6"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmpv6 with IPv4"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 6,
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmp with IPv6"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "123"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'protocol': "256"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 256 in rule"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "0"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 0 in rule"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "a!b",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid src_tag"):
common.validate_profile(profile_id, rules)
rule = {'dst_tag': "x,y",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid dst_tag"):
common.validate_profile(profile_id, rules)
rule = {'src_selector': "a!b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid src_selector"):
common.validate_profile(profile_id, rules)
rule = {'dst_selector': "+b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid dst_selector"):
common.validate_profile(profile_id, rules)
rule = {'src_net': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'dst_net': "1.2.3.4/16",
'ip_version': 6}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'src_ports': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected ports to be a list"):
common.validate_profile(profile_id, rules)
rule = {'dst_ports': [32, "nonsense"]}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid port"):
common.validate_profile(profile_id, rules)
rule = {'action': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid action"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 22,
'icmp_code': "2"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_code': 2}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code specified without ICMP type"):
common.validate_profile(profile_id, rules)
